
CVE-2023-25675 : What You Need to Know

CVE-2023-25675 is a denial-of-service bug in TensorFlow versions prior to 2.12.0 and 2.11.1, rated High with a CVSS base score of 7.5. Updating to a fixed release removes the issue.

The CVE was assigned on February 9, 2023, and published on March 24, 2023, by GitHub_M (the GitHub CNA). It covers a segmentation fault in TensorFlow's Bincount operation when the op is executed under XLA.

Understanding CVE-2023-25675

This vulnerability affects TensorFlow versions prior to 2.12.0 and 2.11.1. When running under XLA, tf.raw_ops.Bincount segfaults if its weights parameter is neither the same shape as the arr parameter nor a length-0 tensor.

What is CVE-2023-25675?

CVE-2023-25675 is a bug in TensorFlow, the open-source machine learning platform, in which tf.raw_ops.Bincount crashes with a segmentation fault under XLA when the weights argument is neither the same shape as the arr argument nor a length-0 tensor. Instead of rejecting the malformed argument with an error, the op brings down the whole process. The fix ships in TensorFlow 2.12.0 and 2.11.1.

The Impact of CVE-2023-25675

The CVSS v3.1 base score is 7.5 (High), corresponding to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: no privileges or user interaction are needed, the impact on availability is high, and confidentiality and integrity are not affected. The only consequence the advisory describes is a process crash, so real-world exposure depends on whether an attacker can get tensors of their choosing into a TensorFlow process that runs this op under XLA, for example a serving endpoint that accepts user-supplied inputs or graphs.

Technical Details of CVE-2023-25675

The following sections describe the bug, the affected versions, and how it is triggered:

Vulnerability Description

The bug is in TensorFlow's XLA path for tf.raw_ops.Bincount. The op expects weights to have the same shape as arr or to be a length-0 tensor; when that precondition is not met under XLA, the process dies with a segmentation fault rather than returning an InvalidArgument-style error.

Affected Systems and Versions

Any system running TensorFlow prior to 2.12.0 or 2.11.1 with XLA in use is affected, for example code wrapped in tf.function(jit_compile=True) or processes started with XLA auto-JIT enabled through TF_XLA_FLAGS. The crash occurs when a weights argument that is neither the same shape as arr nor length 0 is passed to tf.raw_ops.Bincount; the advisory describes the problem only for the XLA path.

Exploitation Mechanism

Triggering the bug requires getting tf.raw_ops.Bincount executed under XLA with a weights tensor whose shape is neither equal to arr's nor length 0. The process then terminates with a segmentation fault, which is a denial of service against whatever workload or service hosts it. The advisory claims no consequence beyond the crash.

Mitigation and Prevention

Mitigation is straightforward: upgrade to a fixed TensorFlow release, and until that is done, keep untrusted tensor shapes away from the op.

Immediate Steps to Take

Update TensorFlow to 2.12.0, or on the 2.11 line to 2.11.1. Until the upgrade is in place, do not let untrusted callers choose the shape of the weights passed to tf.raw_ops.Bincount: validate that it matches arr's shape or is empty before the op runs, and avoid JIT-compiling untrusted graphs with XLA.
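As an added example (not part of the original page and not TensorFlow's own code), the following Python implements the two checks above: a version gate for the fixed releases, and the weights/arr shape precondition the advisory describes, applied in Python so that a mismatched weights tensor is rejected before it reaches the XLA-compiled kernel. The names is_patched, shape_of, weights_shape_ok, check_bincount_inputs, inputs_are_safe and safe_bincount are this example's own; the op call uses the real tf.raw_ops.Bincount(arr, size, weights) signature, and the sample inputs are constructed. TensorFlow is imported only if it is installed, so the checks themselves run anywhere.

```python
import math
import re
import warnings

# Added example (not TensorFlow project code). Two checks a caller can apply
# before invoking tf.raw_ops.Bincount under XLA:
#   1. a version gate: the fix ships in TensorFlow 2.11.1 and 2.12.0, and
#   2. the precondition the advisory states: weights must have the same shape
#      as arr, or be a length-0 tensor.
# The function names below are this example's own, not TensorFlow API.
try:
    import tensorflow as tf
except ImportError:
    tf = None

# Releases before 2.11.1 are vulnerable; 2.11.1 and every later release
# (2.12.0, 2.13.0, ...) carry the fix, so one tuple comparison is enough.
FIRST_FIXED = (2, 11, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def is_patched(version):
    """True if this TensorFlow version string contains the CVE-2023-25675 fix.

    Pre-release builds such as 2.12.0rc0 are treated as unpatched; that is a
    conservative choice of this example, not a statement from the advisory.
    Local version labels such as 2.12.0+cpu are accepted as the base release.
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError("unrecognised TensorFlow version string: %r" % (version,))
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    suffix = m.group(4)
    if suffix and not suffix.startswith("+"):
        return False
    return (major, minor, patch) >= FIRST_FIXED


def shape_of(value):
    """Shape of a nested Python list as a tuple; a scalar has shape ()."""
    if isinstance(value, (list, tuple)):
        if not value:
            return (0,)
        inner = shape_of(value[0])
        for item in value[1:]:
            if shape_of(item) != inner:
                raise ValueError("ragged nested list is not a valid tensor")
        return (len(value),) + inner
    return ()


def weights_shape_ok(arr_shape, weights_shape):
    """The advisory's precondition for Bincount under XLA: weights must have
    the same shape as arr, or be a length-0 tensor."""
    arr_shape, weights_shape = tuple(arr_shape), tuple(weights_shape)
    if weights_shape == arr_shape:
        return True
    # "Length 0" means zero elements. math.prod(()) == 1, so a scalar weights
    # value (shape ()) is correctly not treated as empty.
    return math.prod(weights_shape) == 0


def check_bincount_inputs(arr, weights):
    """Return (arr_shape, weights_shape) if the precondition holds, otherwise
    raise ValueError. Needs no TensorFlow, so it can run at the trust boundary
    before the inputs are converted to tensors at all."""
    a_shape, w_shape = shape_of(arr), shape_of(weights)
    if not weights_shape_ok(a_shape, w_shape):
        raise ValueError("weights shape %r must equal arr shape %r or be length 0"
                         % (w_shape, a_shape))
    return a_shape, w_shape


def inputs_are_safe(arr, weights):
    """Boolean form of check_bincount_inputs, handy for filtering a batch."""
    try:
        check_bincount_inputs(arr, weights)
        return True
    except ValueError:
        return False


def safe_bincount(arr, size, weights):
    """Validate the shapes, then call the real op.

    The shape check runs first, so a malformed weights tensor never reaches the
    kernel. On a TensorFlow release without the fix the call still proceeds,
    because the precondition has been enforced, but a warning asks for the
    upgrade. Without TensorFlow installed the validated shapes are returned.
    """
    shapes = check_bincount_inputs(arr, weights)
    if tf is None:
        return shapes
    if not is_patched(tf.__version__):
        warnings.warn("TensorFlow %s is affected by CVE-2023-25675; the shape check "
                      "is the only protection, upgrade to 2.11.1 or 2.12.0" % tf.__version__)
    return tf.raw_ops.Bincount(arr=arr, size=size, weights=weights)


if __name__ == "__main__":
    # Constructed inputs: arr has shape (4,), so weights must be (4,) or empty.
    print(safe_bincount([0, 1, 1, 3], 4, [1.0, 2.0, 3.0, 4.0]))
    print(safe_bincount([0, 1, 1, 3], 4, []))
    try:
        safe_bincount([0, 1, 1, 3], 4, [1.0, 2.0])  # the mismatch the advisory describes
    except ValueError as exc:
        print("rejected:", exc)
```

The shape check is deliberately done on the Python side rather than relying on the op's own error reporting, since the whole point of the advisory is that the XLA kernel does not reject the bad shape gracefully. The version gate only warns rather than refusing, because once the precondition is enforced the call no longer reaches the crashing case; tighten it to an exception if your policy is to never run known-affected releases.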

Long-Term Security Practices

Pin TensorFlow in your dependency manifests and track it so that fixed releases are picked up promptly, treat tensor shapes and graphs that cross a trust boundary as untrusted input that needs validation, and review call sites that invoke tf.raw_ops directly, since those are the entry points this advisory concerns.

Patching and Updates

Follow TensorFlow's security advisories on GitHub and its release notes for patches addressing CVE-2023-25675 and later issues, and confirm the running version after each upgrade (for example with python -c "import tensorflow as tf; print(tf.__version__)") so that the fix is actually deployed where the workload runs.
